On 4 Dec 2023, at 08:21, Michael Hare via NANOG <nanog@nanog.org> wrote:
John-
This is little consolation, but at AS3128, I see the same thing to our downstream at times, claiming to come from both 13335 and 15169, often simultaneously, to the tune of 25Kpps, "assuming it's not spoofed", which is pragmatically impossible to prove for me given our indirect relationships with these companies. When I see these events, I typically also see a wide variety of country codes participating simultaneously. Again, assuming it's not spoofed. To me it just looks like effective harassment with 13335/15169 helping out. I pine for the internet of the 1990s.
Just set TC=1 for those clients. If you get queries over TCP then they were not spoofed. If they are using DNS COOKIE (RFC 7873) you can send back BADCOOKIE to the initial (client cookie only) UDP request with your server cookie. Identifying real DNS clients has been possible for years now. It's not hard.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
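The two checks Mark describes, as an added example that is not part of the thread and not ISC or BIND code: a toy UDP query handler that answers cookie-less queries from a watched source with TC=1 (a real resolver retries over TCP, a spoofed source never sees the reply) and answers client-cookie-only queries with BADCOOKIE plus a server cookie (RFC 7873), so that a genuine client resends with both cookies. The wire-format helpers, the HMAC-SHA256 server-cookie construction, the suspect list, the secret and the sample addresses are this example's own assumptions; RFC 7873 leaves the server-cookie algorithm to the server, and a real server would also fill in the answer section.

```python
"""Added example: distinguishing real DNS clients from spoofed UDP sources
with TC=1 and DNS COOKIE / BADCOOKIE (RFC 7873). Not code from the thread."""
import hashlib
import hmac
import struct

OPT_COOKIE = 10            # EDNS0 option code for COOKIE (RFC 7873)
RCODE_BADCOOKIE = 23       # RCODE assigned to BADCOOKIE (RFC 7873)
FLAG_QR, FLAG_TC = 0x8000, 0x0200
TYPE_OPT = 41


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, off):
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(data[off:off + n].decode())
        off += n


def build_opt(rcode=0, cookie=None, udp_size=4096):
    """OPT pseudo-RR; the upper 8 bits of the 12-bit RCODE live in its TTL."""
    rdata = struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie if cookie else b""
    ttl = (rcode >> 4) << 24
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata


def build_query(qname, qid=0x1234, client_cookie=None, server_cookie=b""):
    """A/IN query with recursion desired; cookies (if any) ride in an OPT RR."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if client_cookie else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    opt = build_opt(cookie=client_cookie + server_cookie) if client_cookie else b""
    return hdr + question + opt


def parse_message(data):
    """Parse header, question and the COOKIE option of a query or an empty reply."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack_from("!HH", data, off)
    off += 4
    cc = sc = None
    ext_rcode = 0
    for _ in range(ar):                     # assumes an/ns are empty (true here)
        _, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        ext_rcode = ttl >> 24
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, i)
            i += 4
            val = rdata[i:i + olen]
            i += olen
            if code == OPT_COOKIE and 8 <= len(val) <= 40:
                cc, sc = val[:8], (val[8:] or None)   # 8-byte client, 8..32 server
    return {"id": qid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "tc": bool(flags & FLAG_TC), "rcode": (ext_rcode << 4) | (flags & 0xF),
            "client_cookie": cc, "server_cookie": sc}


def make_server_cookie(client_cookie, src_ip, secret):
    # Assumption: 16-byte HMAC-SHA256 tag over client cookie + source address.
    # RFC 7873 only requires 8..32 bytes bound to the client; no key rollover here.
    return hmac.new(secret, client_cookie + src_ip.encode(), hashlib.sha256).digest()[:16]


def build_response(q, rcode=0, tc=False, cookie=None):
    """Header + echoed question + OPT; answer section deliberately left empty."""
    flags = FLAG_QR | (FLAG_TC if tc else 0) | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 1)
    question = encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    return hdr + question + build_opt(rcode=rcode, cookie=cookie)


def handle_udp_query(data, src_ip, secret, suspects=frozenset()):
    """Return (action, response). A real resolver retries over TCP after TC=1
    or resends with our server cookie after BADCOOKIE; a spoofed source can
    do neither because it never receives the reply."""
    q = parse_message(data)
    cc, sc = q["client_cookie"], q["server_cookie"]
    if cc is not None:
        expected = make_server_cookie(cc, src_ip, secret)
        if sc is None or not hmac.compare_digest(sc, expected):
            return "badcookie", build_response(q, rcode=RCODE_BADCOOKIE, cookie=cc + expected)
        return "answer", build_response(q, cookie=cc + expected)
    if src_ip in suspects:                  # cookie-less query from a watched source
        return "truncate", build_response(q, tc=True)
    return "answer", build_response(q)
```

The same query arriving later over TCP (or over UDP with a server cookie that verifies) is the proof Mark refers to: the source really received the earlier reply, so its address was not forged. The suspect set stands in for whatever rate or reputation trigger a real server would use to decide which clients get TC=1; constructed addresses are from the documentation ranges.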